Category Archives: FortiGate

Troubleshooting your installation – FortiOS 6.2

Troubleshooting your installation

If your FortiGate does not function as desired after installation, try the following troubleshooting tips:

Check for equipment issues Verify that all network equipment is powered on and operating as expected. Refer to the QuickStart Guide for information about connecting your FortiGate to the network. You will also find detailed information about the FortiGate LED indicators.The FortiGate has multiple LED lights on the faceplate. Verify whether or not the LEDs on your FortiGate indicate a problem. For information on what the LEDs mean, see the LED specifications on page 43
Check the physical network connections Check the cables used for all physical connections to ensure that they are fully connected and do not appear damaged, and make sure that each cable connects to the correct device and the correct Ethernet port on that device.
Verify that you can connect to the internal IP address of the FortiGate Connect to the GUI from the FortiGate’s internal interface by browsing to its IP address. From the PC, try to ping the internal interface IP address; for example, ping 192.168.1.99. If you cannot connect to the internal interface, verify the IP configuration of the PC. If you can ping the interface but can’t connect to the GUI, check the settings for administrative access on that interface. Alternatively, use SSH to connect to the CLI, and then confirm that HTTPS has been enabled for Administrative Access on the interface.
Check the FortiGate interface configurations Check the configuration of the FortiGate interface connected to the internal network (under Network > Interfaces) and check that Addressing mode is set to the correct mode.
Verify the security policy configuration Go to Policy & Objects > IPv4 Policy and verify that the internal interface to Internet-facing interface security policy has been added and is located near the top of the policy list. Check the Active Sessions column to ensure that traffic has been processed (if this column does not appear, right-click on the table header and select Active Sessions). If you are using NAT mode, check the configuration of the policy to make sure that NAT is enabled and that Use Outgoing Interface Address is selected.
Verify the static routing configuration

Go to Network > Static Routes and verify that the default route is correct. Go to Monitor > Routing Monitor and verify that the default route appears in the list as a static route. Along with the default route, you should see two routes shown as Connected, one for each connected FortiGate interface.

Verify that you can connect to the Internet-facing interface’s IP address Ping the IP address of the Internetfacing interface of your FortiGate. If you cannot connect to the interface, the FortiGate is not allowing sessions from the internal interface to Internet-facing interface. Verify that PING has been enabled for Administrative Access on the interface.
Verify that you can connect to the gateway provided by your ISP

Ping the default gateway IP address from a PC on the internal network. If you cannot reach the gateway, contact your ISP to verify that you are using the correct gateway.

Verify that you can communicate from the FortiGate to the Internet

Access the FortiGate CLI and use the command execute ping 8.8.8.8. You can also use the execute traceroute 8.8.8.8 command to troubleshoot connectivity to the Internet.

Verify the DNS configurations of the FortiGate and the PCs

Check for DNS errors by pinging or using traceroute to connect to a domain name; for example: ping www.fortinet.com.

If the name cannot be resolved, the FortiGate or PC cannot connect to a DNS server and you should confirm that the DNS server IP addresses are present and correct.

Confirm that the FortiGate can connect to the FortiGuard network Once the FortiGate is on your network, you should confirm that it can reach the FortiGuard network. First, check the License Information widget to make sure that the status of all FortiGuard services matches the services that you have purchased. Go to System > FortiGuard. Scroll down to Filtering Services Availability and select Check Again. After a minute, the GUI

should indicate a successful connection.Verify that your FortiGate can resolve and reach FortiGuard at service.fortiguard.net by pinging the domain name. If you can reach this service, you can then verify the connection to FortiGuard servers by running the command diagnose debug rating. This displays a list of FortiGuard IP gateways you can connect to, as well as the following information:

Weight: Based on the difference in time zone between the FortiGate and this server l RTT: Return trip time l Flags: D (IP returned from DNS), I (Contract server contacted), T (being timed), F (failed) l TZ: Server time zone l Curr Lost: Current number of consecutive lost packets l Total Lost: Total number of lost packets

Consider changing the MAC address of your external interface Some ISPs do not want the MAC address of the device connecting to their network cable to change. If you have added a FortiGate to your network, you may have to change the MAC address of the Internet-facing interface using the following CLI command:

config system interface edit <interface> set macaddr <xx:xx:xx:xx:xx:xx>

end

Check the FortiGate bridge table (transparent mode) When a FortiGate is in transparent mode, the unit acts like a bridge sending all incoming traffic out on the other interfaces. The bridge is between interfaces on the FortiGate unit. Each bridge listed is a link between interfaces. Where traffic is flowing between interfaces, you expect to find bridges listed. If you are having connectivity issues and there are no bridges listed, that is a likely cause. Check for the MAC address of the interface or device in question.To list the existing bridge instances on the FortiGate, use the following CLI command:

diagnose netlink brctl name host root.b show bridge control interface root.b host. fdb: size=2048, used=25, num=25, depth=1 Bridge root.b host table port no device devname mac addr ttl attributes

3 4 wan1 00:09:0f:cb:c2:77 88

3 4 wan1 00:26:2d:24:b7:d3 0

4 wan1 00:13:72:38:72:21 98
3 internal 00:1a:a0:2f:bc:c6 6

1 6 dmz 00:09:0f:dc:90:69 0 Local Static

3 4 wan1 c4:2c:03:0d:3a:38 81

3 4 wan1 00:09:0f:15:05:46 89

3 4 wan1 c4:2c:03:1d:1b:10 0

2 5 wan2 00:09:0f:dc:90:68 0 Local Static

Use FortiExplorer if you can’t connect to the FortiGate over Ethernet If you can’t connect to the FortiGate

GUI or CLI, you may be able to connect using FortiExplorer. Refer to the QuickStart Guide or see the section on FortiExplorer for more details.

Either reset the FortiGate to factory defaults or contact Fortinet Support for assistance To reset the FortiGate to factory defaults, use the CLI command execute factoryreset. When prompted, type y to confirm the reset.

If you require further assistance, visit the Fortinet Support website.

FortiCloud – FortiOS 6.2

Leave a reply

FortiCloud

FortiCloud is a hosted security management and log retention service for FortiGate devices. It gives you centralized reporting, traffic analysis, configuration management, and log retention without the need for additional hardware or software.

FortiCloud offers a wide range of features:

Simplified central management — FortiCloud provides a central web-based management console to manage individual or aggregated FortiGate and FortiWiFi devices. Adding a device to the FortiCloud management subscription is straightforward. FortiCloud has detailed traffic and application visibility across the whole network.
Hosted log retention with large default storage allocated — Log retention is an integral part of any security and compliance program but administering a separate storage system is burdensome. FortiCloud takes care of this automatically and stores the valuable log information in the cloud. Each device is allowed up to 200GB of log retention storage. Different types of logs can be stored including Traffic, System Events, Web, Applications, and Security Events.
Monitoring and alerting in real time — Network availability is critical to a good end-user experience. FortiCloud enables you to monitor your FortiGate network in real time with different alerting mechanisms to pinpoint potential issues. Alerting mechanisms can be delivered via email.
Customized or pre-configured reporting and analysis tools — Reporting and analysis are your eyes and ears into your network’s health and security. Pre-configured reports are available, as well as custom reports that can be tailored to your specific reporting and compliance requirements. For example, you may want to look closely at application usage or website violations. The reports can be emailed as PDFs and can cover different time periods.
Maintain important configuration information uniformly — The correct configuration of the devices within your network is essential to maintaining an optimum performance and security posture. In addition, maintaining the correct firmware (operating system) level allows you to take advantage of the latest features.
Service security — All communication (including log information) between the devices and the clouds is encrypted. Redundant data centers are always used to give the service high availability. Operational security measures have been put in place to make sure your data is secure — only you can view or retrieve it.

Registration and activation

FortiCloud accounts can be registered manually through the FortiCloud website, https://www.forticloud.com, but you can easily register and activate your account directly from your FortiGate.

Activating your FortiCloud account

On your device’s dashboard, in the FortiCloud widget, select the Activate button in the status field.
A dialogue asking you to register your FortiCloud account appears. Select Create Account, enter your information, view and accept the terms and conditions, and select OK.
A second dialogue window appears, asking you to enter your information to confirm your account. This sends a confirmation email to your registered email. The dashboard widget then updates to show that confirmation is required.
Open your email, and follow the confirmation link it contains.

Results

A FortiCloud page will open, stating that your account has been confirmed. The Activation Pending message on the dashboard will change to state the type of account you have (‘1GB Free’ or ‘200GB Subscription’), and will provide a link to the FortiCloud portal.

Enabling logging to FortiCloud

Go to Log & Report > Log Settings.
Enable Send Logs to FortiCloud.
Select Test Connectivity to ensure that your FortiGate can connect to the registered FortiCloud account.
Scroll down to GUI Preferences, set Display Logs/FortiView From, to see FortiCloud logs within the FortiGate’s GUI.

Logging into the FortiCloud portal

Once logging has been configured and you have registered your account, you can log into the FortiCloud portal and begin viewing your logging results. There are two methods to reach the FortiCloud portal:

If you have direct networked access to the FortiGate, you can simply open your Dashboard and check the License Information Next to the current FortiCloud connection status will be a link to reach the FortiCloud Portal.
If you do not currently have access to the FortiGate’s interface, you can visit the FortiCloud website

(https://forticloud.com) and log in remotely, using your email and password. It will ask you to confirm the FortiCloud account you are connecting to and then you will be granted access. Connected devices can be remotely configured using the Scripts page in the Management Tab, useful if an administrator may be away from the unit for a long period of time.

Cloud sandboxing

FortiCloud can be used for automated sample tracking, or sandboxing, for files from a FortiGate. This allows suspicious files to be sent to be inspected without risking network security. If the file exhibits risky behavior, or is found to contain a virus, a new virus signature is created and added to the FortiGuard antivirus signature database.

Cloud sandboxing is configured by going to Security Fabric > Settings. After enabling Sandbox Inspection, select the FortiSandbox type.

Sandboxing results are shown in a new tab called AV Submissions in the FortiCloud portal. This tab only appears after a file has been sent for sandboxing.

For more information about FortiCloud, see the FortiCloud documentation.

FortiGuard – FortiOS 6.2

1 Reply

FortiGuard

The FortiGuard Distribution Network (FDN) of servers provides updates to antivirus, antispam, and IPS definitions to your FortiGate. FortiGuard Subscription Services provides comprehensive Unified Threat Management (UTM) security solutions to enable protection against content and network level threats.

The FortiGuard team can be found around the globe, monitoring virus, spyware and vulnerability activities. As vulnerabilities are found, signatures are created and pushed to the subscribed FortiGates. The Global Threat Research Team enables Fortinet to deliver a combination of multi-layered security intelligence and provide true zero-day protection from new and emerging threats. The FortiGuard Network has data centers around the world located in secure, high availability locations that automatically deliver updates to the Fortinet security platforms to protect the network with the latest information.

FortiGuard provides a number of services to monitor world-wide activity and provide the best possible security, including:

Intrusion Prevention System (IPS) – IPS uses a customizable database of more than 4000 known threats to stop attacks that evade conventional firewall defenses. It also provides behavior-based heuristics, enabling the system to recognize threats when no signature has yet been developed. It also provides more than 1000 application identity signatures for complete application control.
Application Control– Application Control allows you to identify and control applications on networks and endpoints regardless of port, protocol, and IP address used. It gives you unmatched visibility and control over application traffic, even traffic from unknown applications and sources. Application Control is a free FortiGuard service and the database for Application Control signatures is separate from the IPS database (Botnet Application signatures are still part of the IPS signature database since these are more closely related with security issues and less about application detection). Application Control signature database information is displayed under the System > FortiGuard page in the FortiCare section.
AntiVirus – The FortiGuard AntiVirus Service provides fully automated updates to ensure protection against the latest content level threats. It employs advanced virus, spyware, and heuristic detection engines to prevent both new and evolving threats from gaining access to your network and protects against vulnerabilities.
Web Filtering – Web Filtering provides Web URL filtering to block access to harmful, inappropriate, and dangerous web sites that may contain phishing/pharming attacks, malware such as spyware, or objectionable content that can expose your organization to legal liability. Based on automatic research tools and targeted research analysis, real-time updates enable you to apply highly-granular policies that filter web access based on six major categories and nearly 80 micro-categories, over 45 million rated web sites, and more than two billion web pages – all continuously updated.
Email Filtering – The FortiGuard Antispam Service uses both a sender IP reputation database and a spam signature database, along with sophisticated spam filtering tools on Fortinet appliances and agents, to detect and block a wide range of spam messages. Updates to the IP reputation and spam signature databases are provided continuously via the FDN.
Messaging Services – Messaging Services allow a secure email server to be automatically enabled on your FortiGate to send alert email or send email authentication tokens. With the SMS gateway, you can enter phone numbers where the FortiGate will send the SMS messages. Note that depending on your carrier, there may be a slight time delay on receiving messages.
DNS and DDNS – The FortiGuard DNS and DDNS services provide an efficient method of DNS lookups once subscribed to the FortiGuard network. This is the default option. The FortiGate connects automatically to the FortiGuard DNS server. If you do not register, you need to configure an alternate DNS server. Configure the DDNS server settings using the CLI command:

config system fortiguard set ddns-server-ip set ddns-server-port

end

Support contract and FortiGuard subscription services

The FDN support Contract is available under System > FortiGuard.

The License Information area displays the status of your FortiGate’s support contract.

You can also manually update the AntiVirus and IPS engines.

Verifying your connection to FortiGuard

If you are not getting FortiGuard web filtering or antispam services, there are a few things to verify that communication to the FDN is working. Before any troubleshooting, ensure that the FortiGate has been registered and subscribed to the FortiGuard services.

Verification – GUI:

The simplest method to check that the FortiGate is communicating with the FDN, is to check the License Information dashboard widget. Any subscribed services should have a green check mark beside them indicating that connections are successful. Any other icon indicates a problem with the connection, or you are not subscribed to the FortiGuard services.

You can also view the FortiGuard connection status by going to System > FortiGuard.

Verification – CLI:

You can also use the CLI to see what FortiGuard servers are available to your FortiGate. Use the following CLI command to ping the FDN for a connection: execute ping guard.fortinet.net

You can also use the following diagnose command to find out what FortiGuard servers are available:

diagnose debug rating

From this command, you will see output similar to the following:

Locale : english License : Contract Expiration : Sun Jul 24 20:00:00 2011 Hostname : service.fortiguard.net -=- Server List (Tue Nov 2 11:12:28 2010) -=-
IP Weight RTT Flags TZ Packets	Curr Lost Total Lost
69.20.236.180 0 10 -5 77200	0 42
69.20.236.179 0 12 -5 52514	0 34
66.117.56.42 0 32 -5 34390	0 62
80.85.69.38 50 164 0 34430	0 11763
208.91.112.194 81 223 D -8 42530	0 8129
216.156.209.26 286 241 DI -8 55602	0 21555

An extensive list of servers are available. Should you see a list of three to five available servers, the FortiGuard servers are responding to DNS replies to service FortiGuard.net, but the INIT requests are not reaching FDS services on the servers.

The rating flags indicate the server status:

D	Indicates the server was found via the DNS lookup of the hostname. If the hostname returns more than one IP address, all of them will be flagged with ‘D’ and will be used first for INIT requests before falling back to the other servers.
I	Indicates the server to which the last INIT request was sent.
F	The server has not responded to requests and is considered to have failed.
T	The server is currently being timed.

The server list is sorted first by weight and then the server with the smallest RTT is put at the top of the list, regardless of weight. When a packet is lost, it will be resent to the next server in the list.

The weight for each server increases with failed packets and decreases with successful packets. To lower the possibility of using a distant server, the weight is not allowed to dip below a base weight, which is calculated as the difference in hours between the FortiGate and the server, multiplied by 10. The further away the server, the higher its base weight and the lower in the list it will appear.

Port assignment

The FortiGate contacts FDN for the latest list of FDN servers by sending UDP packets with typical source ports of 1027 or 1031, and destination port 8888. The FDN reply packets have a destination port of 1027 or 1031.

If your ISP blocks UDP packets in this port range, the FortiGate cannot receive the FDN reply packets. As a result, the FortiGate will not receive the complete FDN server list.

If your ISP blocks the lower range of UDP ports (around 1024), you can configure your FortiGate to use highernumbered ports, using the CLI command:

config system global set ip-src-port-range <start port>-<end port>

end

where the <start port> and <end port> are numbers ranging of 1024 to 25000.

For example, you could configure the FortiGate to not use ports lower than 2048 or ports higher than the following range:

config system global set ip-src-port-range 2048-20000

end

Trial and error may be required to select the best source port range. You can also contact your ISP to determine the best range to use. Push updates might be unavailable if:

l there is a NAT device installed between the unit and the FDN, and/or l your unit connects to the Internet using a proxy server.

Configuring Antivirus and IPS options

Go to System > FortiGuard, and scroll down to the AntiVirus & IPS Updates section to configure the antivirus and IPS options for connecting and downloading definition files.

Accept push updates	Select to allow updates to be sent automatically to your FortiGate. New definitions will be added as soon as they are released by FortiGuard.
Use override push	Appears only if Accept push updates is enabled. Enable to configure an override server if you cannot connect to the FDN or if your organization provides updates using their own FortiGuard server. Once enabled, enter the following: l Enter the IP address and port of the NAT device in front of your FortiGate. FDS will connect to this device when attempting to reach the FortiGate. l The NAT device must be configured to forward the FDS traffic to the FortiGate on UDP port 9443.
Scheduled Updates	Enable for updates to be sent to your FortiGate at a specific time. For example, to minimize traffic lag times, you can schedule the update to occur on weekends or after work hours. Note that a schedule of once a week means any urgent updates will not be pushed until the scheduled time. However, if there is an urgent update required, select the Update Now button.
Improve IPS quality	Enable to help Fortinet maintain and improve IPS signatures. The information sent to the FortiGuard servers when an attack occurs can be used to keep the database current as variants of attacks evolve.
Use extended IPS signature package	Regular IPS database protects against the latest common and in-the-wild attacks. Extended IPS database includes protection from legacy attacks.
Update AV & IPS Definitions	Select to manually initiate an FDN update.

Manual updates

To manually update the signature definitions file, you need to first go to the Fortinet Support web site. Once logged in, select Download > FortiGuard Service Updates. The browser will present you the most current IPS and AntiVirus signature definitions which you can download.

Once downloaded to your computer, log into the FortiGate to load the definition file.

To load the definition file onto the FortiGate:

Go to System > FortiGuard.
In the License Information table, select the Upgrade Database link in either the Application Control Signature, IPS, or AntiVirus
In the pop-up window, select Upload and locate the downloaded file and select Open.

The upload may take a few minutes to complete.

Automatic updates

The FortiGate can be configured to request updates from FDN on a scheduled basis, or via push notification.

Scheduling updates

Scheduling updates ensures that the virus and IPS definitions are downloaded to your FortiGate on a regular basis, ensuring that you do not forget to check for the definition files yourself.

Updating definitions can cause a very short disruption in traffic currently being scanned while the FortiGate unit applies the new signature database, Ideally, schedule updates during off-peak hours, such as evenings or weekends, when network usage is minimal, to ensure that the network activity will not suffer from the added traffic of downloading the definition files.

To enable scheduled updates – GUI:

Go to System > FortiGuard and scroll down to AntiVirus & IPS Updates.
Enable Scheduled Updates.
Select the frequency of updates.
Select Apply.

To enable scheduled updates – CLI:

config system autoupdate schedule set status enable

set frequency {every | daily | weekly} set time <hh:mm> set day <day_of_week>

end

Push updates

Push updates enable you to get immediate updates when new viruses or intrusions have been discovered and new signatures created. This ensures that the latest signature will be sent to the FortiGate as soon as possible.

When a push notification occurs, the FortiGuard server sends a notice to the FortiGate that there is a new signature definition file available. The FortiGate then initiates a download of the definition file, similar to the scheduled update.

To ensure maximum security for your network, you should have a scheduled update as well as enable the push update, in case an urgent signature is created, and your cycle of the updates only occurs weekly.

To enable push updates – GUI:

Go to System > FortiGuard and scroll down to AntiVirus & IPS Updates.
Enable Accept push updates.
Select Apply.

To enable push updates – CLI:

config system autoupdate push-update set status enable

end

Push IP override

If the FortiGate is behind another NAT device (or another FortiGate), to ensure it receives the push update notifications, you need to use an override IP address for the notifications. To do this, you create a virtual IP to map to the external port of the NAT device.

Generally speaking, if there are two FortiGate devices, the following steps need to be completed on the FortiGate NAT device to ensure the FortiGate on the internal network receives the updates:

Add a port forwarding virtual IP to the FortiGate NAT device that connects to the Internet by going to Policy & Objects > Virtual IPs.
Add a security policy to the FortiGate NAT device that connects to the Internet that includes the port forwarding virtual IP. l Configure the FortiGate on the internal network with an override push IP and port.

On the FortiGate internal device, the virtual IP is entered as the Use push override IP address.

To enable push update override- GUI:

Go to System > FortiGuard and scroll down to AntiVirus & IPS Updates.
Enable Accept push updates.
Enable Use override push.
Enter the virtual IP address configured on the NAT device.
Select Apply.

To enable push updates – CLI:

config system autoupdate push-update set status enable set override enable set address <vip_address> end

Sending malware statistics to FortiGuard

To support following malware trends and making zero-day discoveries, FortiGate units send encrypted statistics to

FortiGuard about IPS, Application Control, and AntiVirus events detected by the FortiGuard services running on your FortiGate. FortiGuard uses the statistics collected to achieve a balance between performance and security effectiveness by moving inactive signatures to an extended signature database.

The statistics include some non-personal information that identifies your FortiGate and its country. The information is never shared with external parties. You can choose to disable the sharing of this information by entering the following CLI command:

config system global set fds-statistics disable

end

Configuring web filtering and email filtering options

Go to System > FortiGuard, and scroll down to Filtering to set the size of the caches and ports.

Web Filter Cache	Set the Time To Live (TTL) value. This is the number of seconds the FortiGate will store a blocked IP or URL locally, saving time and network access traffic, checking the FortiGuard server. Once the TTL has expired, the FortiGate will contact an FDN server to verify a web address. The TTL must be between 300 and 86400 seconds.
Anti-Spam Cache	Set the TTL value (see above).
FortiGuard Filtering Port	Select the port assignments for contacting the FortiGuard servers.
Filtering Service Availability	Indicates the status of the filtering service. Select Check Again if the filtering service is not available.
Request re-evaluation of a URL’s category	Select to re-evaluate a URL’s category rating on the FortiGuard Web Filter service.

Email filtering

The FortiGuard data centers monitor and update email databases of known spam sources. With FortiGuard Anti-Spam filtering enabled, the FortiGate verifies incoming email sender addresses and IPs against the database, and takes the necessary actions as defined within the antivirus profiles.

Spam source IP addresses can also be cached locally on the FortiGate, providing a quicker response time, while easing load on the FortiGuard servers, aiding in a quicker response time for less common email address requests.

By default, the anti-spam cache is enabled. The cache includes a TTL value, which is the amount of time an email address will stay in the cache before expiring. You can change this value to shorten or extend the time between 5 and 1,440 minutes.

To modify the antispam cache TTL – GUI:

Go to System > FortiGuard.
Under Filtering, enable Anti-Spam Cache.
Enter the TTL value in minutes.
Select Apply.

To modify the Anti-Spam filter TTL – CLI:

config system fortiguard set antispam-cache-ttl <integer>

end

Further antispam filtering options can be configured to block, allow, or quarantine specific email addresses. These configurations are available through the Security Profiles > Anti-Spam menu.

Online security tools

The FortiGuard online center provides a number of online security tools, including but not limited to:

URL lookup — By entering a website address, you can see if it has been rated and what category and classification it is filed as. If you find your website or a site you commonly go to has been wrongly categorized, you can use this page to request that the site be re-evaluated: https://fortiguard.com/webfilter
Threat Encyclopedia — Browse the Fortiguard Labs extensive encyclopedia of threats. Search for viruses, botnet

C&C, IPS, endpoint vulnerabilities, and mobile malware: https://www.fortiguard.com/encyclopedia l Application Control — Browse the Fortiguard Labs extensive encyclopedia of applications: https://fortiguard.com/appcontrol

Firmware Management – FortiOS 6.2

Leave a reply

Firmware

Fortinet periodically updates the FortiGate firmware to include new features and resolve important issues. After you have registered your FortiGate unit, you can download firmware updates from the Fortinet Support web site, Before you install any new firmware, be sure to follow the steps below:

Review the Release Notes for a new firmware release.
Review the Supported Upgrade Paths SysAdmin note on the Fortinet Cookbook site to prepare for the upgrade of FortiOS on your FortiGate.
Backup the current configuration, including local certificates. l Test the new firmware until you are satisfied that it applies to your configuration.

Installing new firmware without reviewing release notes or testing the firmware may result in changes to settings or unexpected issues.

Backing up the current configuration

You should always back up the configuration before installing new firmware, in case you need to restore your FortiGate configuration.

Downloading

Firmware images for all FortiGate units are available on the Fortinet Support website.

To download firmware:

Log into the site using your user name and password.
Go to Download > Firmware Images.
A list of Release Notes is shown. If you have not already done so, download and review the Release Notes for the firmware you wish to upgrade your FortiGate unit to.
Select Download.
Navigate to the folder for the firmware version you wish to use.
Select your FortiGate model from the list. If your unit is a FortiWiFi, the firmware will have a filename starting with ‘FWF’.
Save the firmware image to your computer.

Testing

The integrity of firmware images downloaded from Fortinet’s support portal can be verified using a file checksum. A file checksum that does not match the expected value indicates a corrupt file. The corruption could be caused by errors in transfer or by file modification. A list of expected checksum values for each build of released code is available on Fortinet’s support portal.

Image integrity is also verified when the FortiGate is booting up. This integrity check is done through a cyclic redundancy check (CRC). If the CRC fails, the FortiGate unit will encounter an error during the boot process.

Lastly, firmware images are signed and the signature is attached to the code as it is built. When upgrading an image, the running OS will generate a signature and compare it with the signature attached to the image. If the signatures do not match, the new OS will not load.

Testing before installation

FortiOS lets you test a new firmware image by installing the firmware image from a system reboot and saving it to system memory. After completing this procedure, the FortiGate unit operates using the new firmware image with the current configuration. This new firmware image is not permanently installed. The next time the FortiGate unit restarts, it operates with the originally installed firmware image using the current configuration. If the new firmware image operates successfully, you can install it permanently using the procedure explained in Upgrading firmware.

To use this procedure, you must connect to the CLI using the FortiGate console port and an RJ-45 to DB-9 or null modem cable. This procedure temporarily installs a new firmware image using your current configuration.

For this procedure, you must install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP server should be on the same subnet as the internal interface.

To test the new firmware image:

Connect to the CLI using an RJ-45 to DB-9 or null modem cable.
Make sure the TFTP server is running.
Copy the new firmware image file to the root directory of the TFTP server.
Make sure the FortiGate unit can connect to the TFTP server using the execute ping
Enter the following command to restart the FortiGate unit: execute reboot
As the FortiGate unit reboots, press any key to interrupt the system startup. As the FortiGate unit starts, a series of system startup messages appears: Press any key to display configuration menu….
Immediately press any key to interrupt the system startup.
If you successfully interrupt the startup process, the following messages appears:

[G]: Get firmware image from TFTP server.

[F]: Format boot device.

[B]: Boot with backup firmware and set as default

[C]: Configuration and information

[Q]: Quit menu and continue to boot with default firmware.

[H]: Display this list of options. Enter G, F, Q, or H:

Type G to get the new firmware image from the TFTP server. The following message appears: Enter TFTP server address [192.168.1.168]:
Type the address of the TFTP server and press Enter. The following message appears: Enter Local Address [192.168.1.188]:
Type an IP address of the FortiGate unit to connect to the TFTP server. The IP address must be on the same network as the TFTP server.
The following message appears: Enter File Name [image.out]:
Enter the firmware image file name and press Enter. The TFTP server uploads the firmware image file to the FortiGate unit and the following appears: Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]
Type R. The FortiGate image is installed to system memory and the FortiGate unit starts running the new firmware image, but with its current configuration.

You can test the new firmware image as required. When done testing, you can reboot the FortiGate unit, and the FortiGate unit will resume using the firmware that was running before you installed the test firmware.

Upgrading firmware

Installing firmware replaces your current antivirus and attack definitions, along with the definitions included with the firmware release you are installing. After you install new firmware, make sure that antivirus and attack definitions are up to date. You can also use the CLI command execute update-now to update the antivirus and attack definitions.

To upgrade the firmware – GUI:

Log into the GUI as the admin administrative user.
Go to System > Firmware.
Under Upload Firmware, select Browse and locate the firmware image file.
Select OK.

The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiGate login. This process takes a few minutes.

To upgrade the firmware – CLI:

Before you begin, ensure you have a TFTP server running and accessible to the FortiGate unit.

Make sure the TFTP server is running.
Copy the new firmware image file to the root directory of the TFTP server.
Log into the CLI.
Make sure the FortiGate unit can connect to the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168 execute ping 192.168.1.168
Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:

execute restore image tftp <filename> <tftp_ipv4>

The FortiGate unit responds with the message:

This operation will replace the current firmware version! Do you want to continue? (y/n)

Type y. The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, and restarts.

This process takes a few minutes.

Reconnect to the CLI.
Update antivirus and attack definitions:

execute update-now.

Reverting

The following procedure reverts the FortiGate unit to its factory default configuration and deletes any configuration settings. If you are reverting to a previous FortiOS version, you might not be able to restore the previous configuration from the backup configuration file.

To revert to a previous firmware version – GUI:

Log into the GUI as the admin user.
Go to System > Firmware
Under Upload Firmware, select Browse and locate the firmware image file.
Select OK.

The FortiGate unit uploads the firmware image file, reverts to the old firmware version, resets the configuration, restarts, and displays the FortiGate login. This process takes a few minutes.

To revert to a previous firmware version – CLI:

Before beginning this procedure, it is recommended that you:

Backup the FortiGate unit system configuration using the command execute backup config
Backup the IPS custom signatures using the command execute backup ipsuserdefsig
Backup web content and email filtering lists.

To use the following procedure, you must have a TFTP server the FortiGate unit can connect to.

Make sure that the TFTP server is running.
Copy the firmware image file to the root directory of the TFTP server.
Log in to the FortiGate CLI.
Make sure the FortiGate unit can connect to the TFTP server by using the execute ping
Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:

execute restore image tftp <name_str> <tftp_ipv4>

The FortiGate unit responds with this message:

This operation will replace the current firmware version! Do you want to continue? (y/n)

Type y. The FortiGate unit uploads the firmware image file. After the file uploads, a message similar to the following appears:

Get image from tftp server OK.

Check image OK.

This operation will downgrade the current firmware version! Do you want to continue? (y/n)

Type y. The FortiGate unit reverts to the old firmware version, resets the configuration to factory defaults, and restarts. This process takes a few minutes.
Reconnect to the CLI.
To restore your previous configuration, if needed, use the command:

execute restore config <name_str> <tftp_ipv4>

Update antivirus and attack definitions using the command:

execute update-now

Installation from system reboot

In the event that the firmware upgrade does not load properly and the FortiGate unit will not boot, or continuously reboots, it is best to perform a fresh install of the firmware from a reboot using the CLI.

This procedure installs a firmware image and resets the FortiGate unit to default settings. You can use this procedure to upgrade to a new firmware version, revert to an older firmware version, or re-install the current firmware.

To use this procedure, you must connect to the CLI using the FortiGate console port and a RJ-45 to DB-9, or null modem cable. This procedure reverts the FortiGate unit to its factory default configuration.

For this procedure you install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP server should be on the same subnet as the internal interface.

Before beginning this procedure, ensure you backup the FortiGate unit configuration.

If you are reverting to a previous FortiOS version, you might not be able to restore the previous configuration from the backup configuration file.

To install firmware from a system reboot:

Connect to the CLI using the RJ-45 to DB-9 or null modem cable.
Make sure the TFTP server is running.
Copy the new firmware image file to the root directory of the TFTP server.
Make sure the internal interface is connected to the same network as the TFTP server.
To confirm the FortiGate unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168: execute ping 192.168.1.168
Enter the following command to restart the FortiGate unit: execute reboot
The FortiGate unit responds with the following message:

This operation will reboot the system!

Do you want to continue? (y/n)

Type y. As the FortiGate unit starts, a series of system startup messages appears. When the following messages appears:

Press any key to display configuration menu……….

If you successfully interrupt the startup process, the following messages appears:

[G]: Get firmware image from TFTP server.

[F]: Format boot device.

[B]: Boot with backup firmware and set as default

[C]: Configuration and information

[Q]: Quit menu and continue to boot with default firmware.

[H]: Display this list of options. Enter G, F, Q, or H

Type G to get to the new firmware image form the TFTP server. The following message appears: Enter TFTP server address [192.168.1.168]:
Type the address of the TFTP server and press Enter. The following message appears: Enter Local Address [192.168.1.188]:
Type an IP address the FortiGate unit can use to connect to the TFTP server. The IP address can be any IP address that is valid for the network to which the interface is connected.
The following message appears: Enter File Name [image.out]:
Enter the firmware image filename and press Enter.The TFTP server uploads the firmware image file to the FortiGate unit and a message similar to the following appears: Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]
Type D. The FortiGate unit installs the new firmware image and restarts. The installation might take a few minutes to complete.

Restoring from a USB key

Log into the CLI.
Enter the following command to restore an unencrypted configuration file:

execute restore image usb Restore image from USB disk. {string} Image file name on the USB disk.

The FortiGate unit responds with the following message:

This operation will replace the current firmware version! Do you want to continue? (y/n)

Type y.

Controlled upgrade

Using a controlled upgrade, you can upload a new version of the FortiOS firmware to a separate partition in the FortiGate memory for later upgrade. The FortiGate unit can also be configured so that when it is rebooted, it will automatically load the new firmware (CLI only). Using this option, you can stage a number of FortiGate units to do an upgrade simultaneously to all devices using FortiManager or script.

To load the firmware for later installation:

execute restore secondary-image {ftp | tftp | usb} <filename_str>

To set the FortiGate unit so that when it reboots, the new firmware is loaded:

execute set-next-reboot {primary | secondary}

where {primary | secondary} is the partition with the preloaded firmware.

Basic administration – FortiOS 6.2

Leave a reply

Basic administration

This section contains information about basic FortiGate administration that you can do after you installing the unit in your network.

Registration

In order to have full access to Fortinet Support and FortiGuard Services, you must register your FortiGate.

Registering your FortiGate:

Go to the Dashboard and locate the Licenses
Click on FortiCare Support to display a pop-up window and Register.
In the pop-up window, either use an existing Fortinet Support account or create a new one. Select your Country and Reseller.
Select OK.

FortiGate platforms don’t impose any limitations on the number or type of customers, users, devices, IP addresses, or number of VPN clients being served by the platform. Such factors are limited solely by the hardware capacity of each given model.

System settings

There are several system settings that should be configured once your FortiGate is installed:

Default administrator password on page 46
Settings on page 46 l Changing the host name on page 46 l System time on page 46 l Administration settings on page 47 l Password policy on page 48 l View settings on page 48 l Administrator password retries and lockout time on page 48

Default administrator password

By default, your FortiGate has an administrator account set up with the username admin and no password. In order to prevent unauthorized access to the FortiGate, it is highly recommended that you add a password to this account.

To change the default password:

Go to System > Administrators.
Edit the admin
Select Change Password.
Enter the New Password and re-enter the password for confirmation.
Select OK.

It is also recommended to change the user name of this account; however, since you cannot change the user name of an account that is currently in use, a second administrator account will need to be created in order to do this.

Settings

Settings can be accessed by going to System > Settings. On this page, you can change the Host name, set the system time and identify time zone in System Time, configure HTTP, HTTPS, SSH, and Telnet ports as well as idle timeout in Administration Settings, designate the Password Policy, and manage display options and designate inspection mode in View Settings.

Changing the host name

The host name of your FortiGate appears in the Hostname row in the System Information widget on the Dashboard. The host name also appears at the CLI prompt when you are logged in to the CLI, and as the SNMP system name.

To change the host name on the FortiGate

Go to System > Settings and type in the new name in the Host name row. The only administrators that can change a

FortiGate’s host name are administrators whose admin profiles permit system configuration write access. If the FortiGate is part of an HA cluster, you should use a unique host name to distinguish the FortiGate from others in the cluster.

System time

For effective scheduling and logging, the FortiGate system time and date should be accurate. You can either manually set the system time and date or configure the FortiGate to automatically synchronize with a Network Time Protocol (NTP) server.

NTP enables you to keep the FortiGate time synchronized with other network systems. By enabling NTP on the FortiGate, FortiOS will check with the NTP server you select at the configured intervals. This will also ensure that logs and other time-sensitive settings on the FortiGate are correct.

The FortiGate maintains its internal clock using a built-in battery. At start up, the time reported by the FortiGate will indicate the hardware clock time, which may not be accurate. When using NTP, the system time might change after the FortiGate has successfully obtained the time from a configured NTP server.

To set the date and time

Go to the System > Settings.
Under System Time, select your Time Zone by using the drop-down menu.
Set Time by either selecting Synchronize with NTP Server or Manual settings. If you select synchronization, you can either use the default FortiGuard servers or specify a custom server. You can also set the Sync interval.
If you use an NTP server, you can identify a specific interface for this self-originating traffic by enabling Setup device as local NTP server.
Select Apply.

Administration settings

In order to improve security, you can change the default port configurations for administrative connections to the FortiGate. When connecting to the FortiGate when the port has changed, the port must be included, such as https://<ip_address>:<port>. For example, if you are connecting to the FortiGate using port 99, the URL would be https://192.168.1.99:99.

To configure the port settings:

Go to System > Settings.
Under Administration Settings, change the port numbers for HTTP, HTTPS, SSH, and/or Telnet as needed. You can also select Redirect to HTTPS in order to avoid HTTP being used for the administrators.
Select Apply.

When you change the default port number for HTTP, HTTPS, SSH, or Telnet, ensure that the port number is unique. If a conflict exists with a particular port, a warning message will appear.

By default, the GUI disconnects administrative sessions if no activity occurs for five minutes. This prevents someone from using the GUI if the management PC is left unattended.

To change the idle timeout

Go to System > Settings.
In the Administration Settings section, enter the time in minutes in the Idle timeout
Select Apply.

Password policy

The FortiGate includes the ability to create a password policy for administrators and IPsec pre-shared keys. With this policy, you can enforce regular changes and specific criteria for a password including:

minimum length between 8 and 64 characters.
if the password must contain uppercase (A, B, C) and/or lowercase (a, b, c) characters. l if the password must contain numbers (1, 2, 3). l if the password must contain special or non-alphanumeric characters (!, @, #, $, %, ^, &, *, (, and )). l where the password applies (admin or IPsec or both). l the duration of the password before a new one must be specified.

To create a password policy – GUI

Go to System > Settings.
Configure Password Policy settings as required.
Click Apply.

If you add a password policy or change the requirements on an existing policy, the next time that administrator logs into the FortiGate, they are prompted to update their password to meet the new requirements before proceeding to log in.

View settings

Three settings can change the presentation of information in the GUI: Language, Lines per page, and Theme.

To change the language, go to System > Settings. Select the language you want from the Language drop-down list: English (the default), French, Spanish, Portuguese, Japanese, Traditional Chinese, Simplified Chinese, or Korean. For best results, you should select the language that is used by the management computer.

To change the number of lines per page displayed in the GUI tables, set Lines per page to a value between 20 and 1,000. The default is 50 lines per page.

Five color themes are currently available: Green (the default), Red, Blue, Melongene, and Mariner. To change your theme, select the color from the Theme drop-down list.

This is also where you select either Flow-based or Proxy Inspection Mode . If you select Flow-based mode, then you need to specify if it is NGFW Profile-based or NGFW Policy-based inspection.

Administrator password retries and lockout time

By default, the FortiGate sets the number of password retries at three, allowing the administrator a maximum of three attempts to log into their account before locking the account for a set amount of time.

Both the number of attempts (admin-lockout-threshold) and the wait time before the administrator can try to enter a password again (admin-lockout-duration) can be configured within the CLI.

To configure the lockout options:

config system global set admin-lockout-threshold <failed_attempts> set admin-lockout-duration <seconds> end

The default value of admin-lockout-threshold is 3 and the range of values is between 1 and 10. The adminlockout-duration is set to 60 seconds by default and the range of values is between 1 and 4294967295 seconds.

Keep in mind that the higher the lockout threshold, the higher the risk that someone may be able to break into the FortiGate.

Example:

To set the admin-lockout-threshold to one attempt and the admin-lockout-duration to a five minute duration before the administrator can try to log in again, enter the commands:

config system global set admin-lockout-threshold 1

Passwords

Using secure passwords are vital for preventing unauthorized access to your FortiGate. When changing the password, consider the following to ensure better security:

Do not make passwords that are obvious, such as the company name, administrator names, or other obvious words or phrases.
Use numbers in place of letters, for example, passw0rd. l Administrator passwords can be up to 64 characters. l Include a mixture of letters, numbers, and upper and lower case. l Use multiple words together, or possibly even a sentence, for example keytothehighway. l Use a password generator.
Change the password regularly and always make the new password unique and not a variation of the existing password, such as changing from password to password1.
Make note of the password and store it in a safe place away from the management computer, in case you forget it or ensure that at least two people know the password in the event that one person becomes ill, is away on vacation, or leaves the company. Alternatively, have two different admin logins.

Downgrades will typically maintain the administrator password. If you need to downgrade to FortiOS 4.3, remove the password before the downgrade, then log in after the downgrade and re-configure the password.

Password policy

minimum length between 8 and 64 characters.
if the password must contain uppercase (A, B, C) and/or lowercase (a, b, c) characters. l if the password must contain numbers (1, 2, 3). l if the password must contain special or non-alphanumeric characters (!, @, #, $, %, ^, &, *, (, and )). l where the password applies (admin or IPsec or both). l the duration of the password before a new one must be specified.

To create a password policy – GUI

Go to System > Settings.
Configure Password Policy settings as required.
Click Apply.

Configuration backups

Once you successfully configure the FortiGate, it is extremely important that you backup the configuration. In some cases, you may need to reset the FortiGate to factory defaults or perform a TFTP upload of the firmware, which will erase the existing configuration. In these instances, the configuration on the device will have to be recreated, unless a backup can be used to restore it. You should also backup the local certificates, as the unique SSL inspection CA and server certificates that are generated by your FortiGate by default are not saved in a system backup.

We also recommend that you backup the configuration after any changes are made, to ensure you have the most current configuration available. Also, backup the configuration before any upgrades of the FortiGate’s firmware. Should anything happen to the configuration during the upgrade, you can easily restore the saved configuration.

Always backup the configuration and store it on the management computer or off-site. You have the option to save the configuration file to various locations including the local PC, USB key, FTP, and TFTP server. The last two are configurable through the CLI only.

If you have VDOMs, you can back up the configuration of the entire FortiGate or only a specific VDOM. Note that if you are using FortiManager or FortiCloud, full backups are performed and the option to backup individual VDOMs will not appear.

You can also backup and restore your configuration using Secure File Copy (SCP). See How to download/upload a FortiGate configuration file using secure file copy (SCP).

You enable SCP support using the following command:

config system global set admin-scp enable

end

For more information about this command and about SCP support, see config system global.

Backing up the configuration using the GUI

Click on admin in the upper right-hand corner of the screen and select Configuration > Backup.
Direct the backup to your Local PC or to a USB Disk.

The USB Disk option will be grayed out if no USB drive is inserted in the USB port. You can also backup to the FortiManager using the CLI.

If VDOMs are enabled, indicate whether the scope of the backup is for the entire FortiGate configuration (Global) or only a specific VDOM configuration (VDOM).
If backing up a VDOM configuration, select the VDOM name from the list.
Select Encryption.

Encryption must be enabled on the backup file to back up VPN certificates.

Enter a password and enter it again to confirm it. You will need this password to restore the file.
Select OK.
The web browser will prompt you for a location to save the configuration file. The configuration file will have a .conf extension.

Backing up the configuration using the CLI

Use one of the following commands:

execute backup config management-station <comment> or:

execute backup config usb <backup_filename> [<backup_password>]

or for FTP, note that port number, username are optional depending on the FTP site:

execute backup config ftp <backup_filename> <ftp_server> [<port>] [<user_name>] [<password>]

or for TFTP:

execute backup config tftp <backup_filename> <tftp_servers> <password> Use the same commands to backup a VDOM configuration by first entering the commands:

config vdom edit <vdom_name>

Backup and restore the local certificates

This procedure exports a server (local) certificate and private key together as a password protected PKCS12 file. The export file is created through a customer-supplied TFTP server. Ensure that your TFTP server is running and accessible to the FortiGate before you enter the command.

To back up the local certificates:

Connect to the CLI and use the following command:

execute vpn certificate local export tftp <cert_name> <filename> <tftp_ip> where:

l <cert_name> is the name of the server certificate. l <filename> is a name for the output file. l <tftp_ip> is the IP address assigned to the TFTP server host interface.

To restore the local certificates – GUI:

Move the output file from the TFTP server location to the management computer.
Go to System > Certificates and select Import.
Select the appropriate type of certificate from the dropdown menu and fill in any required fields.
Select Upload. Browse to the location on the management computer where the exported file has been saved, select the file and select Open.
If required, enter the Password needed to upload the exported file.
Select OK.

To restore the local certificates – CLI:

Connect to the CLI and use the following command:

execute vpn certificate local import tftp <filename> <tftp_ip>

Restoring a configuration

Should you need to restore a configuration file, use the following steps:

To restore the FortiGate configuration – GUI:

Click on admin in the upper right-hand corner of the screen and select Configuration > Restore.
Identify the source of the configuration file to be restored : your Local PC or a USB Disk.

The USB Disk option will be grayed out if no USB drive is inserted in the USB port. You can restore from the FortiManager using the CLI.

Enter the path and file name of the configuration file, or select Browse to locate the file.
Enter a password if required.
Select Restore.

To restore the FortiGate configuration – CLI:

execute restore config management-station normal 0 or:

execute restore config usb <filename> [<password>]

or for FTP, note that port number, username are optional depending on the FTP site:

execute restore config ftp <backup_filename> <ftp_server> [<port>] [<user_name>] [<password>]

or for TFTP:

execute restore config tftp <backup_filename> <tftp_server> <password>

The FortiGate will load the configuration file and restart. Once the restart has completed, verify that the configuration has been restored.

Troubleshooting

When restoring a configuration, errors may occur, but the solutions are usually straightforward.

Error message	Reason and Solution
Configuration file error	This error occurs when attempting to upload a configuration file that is incompatible with the device. This may be due to the configuration file being for a different model or being saved from a different version of firmware. Solution: Upload a configuration file that is for the correct model of FortiGate device and the correct version of the firmware.
Error message		Reason and Solution
Invalid password		When the configuration file is saved, it can be protected by a password. The password entered during the upload process is not matching the one associated with the configuration file. Solution: Use the correct password if the file is password protected.

Configuration revision

You can manage multiple versions of configuration files on models that have a 512MB flash memory and higher. Revision control requires either a configured central management server or the local hard drive, if your FortiGate has this feature. Typically, configuration backup to local drive is not available on lower-end models.

The central management server can either be a FortiManager unit or FortiCloud.

If central management is not configured on your FortiGate unit, a message appears instructing you to either:

l Enable central management, or l obtain a valid license.

When revision control is enabled on your FortiGate unit, and configuration backups have been made, a list of saved revisions of those backed-up configurations appears.

Configuration revisions are viewed by clicking on admin in the upper right-hand corner of the screen and selecting Configuration > Revisions.

Restore factory defaults

There may be a need to reset the FortiGate to its original defaults; for example, to begin with a fresh configuration. There are two options when restoring factory defaults. The first resets the entire device to the original out-of-the-box configuration.

You can reset using the CLI by entering the command:

execute factoryreset

When prompted, type y to confirm the reset.

Alternatively, in the CLI you can reset the factory defaults but retain the interface and VDOM configuration. Use the following command: execute factoryreset2

LED specifications – FortiOS 6.2

Leave a reply

LED specifications

LED status codes

For more information about alarms, see About Alarm Levels.

LABEL	STATE	MEANING
PWR	Green	Power is on.
	Off	Power is off.
LABEL STATE			MEANING
STA	Green		Normal status.
	Flashing Green		Booting up. If the FortiGate has a reset button, this could also means that the reset button was used.
	Red		The FortiGate has a critical alarm.
ALARM	Off		No alarms or the FortiGate has a minor alarm.
	Amber		The FortiGate has a major alarm.
	Red		The FortiGate has a critical alarm. The status LED will also be red.
HA	Green		FortiGate is operating in an FGCP HA cluster.
	Red		A failover has occurred. The failover operation feature is not available in all models.
	Off		HA not configured.
WIFI	Green		Wireless port is active.
	Flashing Green		Wireless interface is transmitting and receiving data.
	Off		Wireless interface is down.

About alarm levels

Minor, major, and critical alarms are defined based on IPMI, ATCA, and Telco standards for naming alarms.

A minor alarm (also called an IPMI non-critical (NC) alarm) indicates a temperature or a power level outside of the normal operating range that is not considered a problem. In the case of a minor temperature alarm, the system could respond by increasing fan speed. A non-critical threshold can be an upper non-critical (UNC) threshold (for example, a high temperature or a high power level) or a lower non-critical (LNC) threshold (for example, a low power level). The LEDs do not indicate minor alarms since user intervention is not required.
A major alarm (also called an IPMI critical or critical recoverable (CR) alarm) indicates that the system itself cannot correct the cause for the alarm and that intervention is required. For example, the cooling system cannot provide enough cooling to reduce the temperature. It could also mean that conditions (e.g. temperature) are approaching the outside limit of the allowed operating range. A critical threshold can also be an upper critical (UC) threshold (e.g. a high temperature or a high power level) or a lower critical (LC) threshold (e.g. a low power level).
A critical alarm (also called an IPMI non-recoverable (NR) alarm) indicates detection of a temperature or power level that is outside of the allowed operating range and could potentially cause physical damage.

LED status codes for ports

TYPE OF PORT		STATE	MEANING
Ethernet Ports Link / Activity		Green	Connected. On FortiGate models with front-facing ports, this LED is to the left of the port. On FortiGate models with ports at the back of the device, this LED is in the upper row.
TYPE OF PORT STATE				MEANING
	Flashing Green			Transmitting and receiving data.
	Off			No link established.
Ethernet Ports Speed	Green			Connected at 1Gbps. On FortiGate models with front-facing ports, this LED is to the right of the port. On FortiGate models with ports at the back of the device, this LED is in the lower row.
	Amber			Connected at 100Mbps.
	Off			Not connected or connected at 10Mbps.
SFP Ports	Green			Connected.
	Flashing Green			Transmitting and receiving data.
	Off			No link established.

FortiExplorer for iOS – FortiOS 6.2

2 Replies

FortiExplorer for iOS

FortiExplorer for iOS is a user-friendly application that helps you to quickly and easily configure, manage, and monitor

FortiGate appliances using an iOS device. FortiExplorer lets you rapidly provision, deploy, and monitor Security Fabric components including FortiGate, FortiWiFi, and FortiAP devices.

FortiExplorer for iOS requires iOS 9.3 or later and is compatible with iPhone, iPad, and iPod Touch. It is supported by FortiOS 5.6+ and is only available on the App Store for iOS devices.

Advanced features are available with the purchase of FortiExplorer Pro. Paid features include the ability to add more than two devices and the ability to download firmware images from FortiCare.

Up to six members can use this app with ‘Family Sharing’ enabled in the App Store.

Getting started with FortiExplorer

If your FortiGate is accessible on the wireless network, you can connect to it using FortiExplorer provided that your iOS device is on the same network (see Connecting FortiExplorer to a FortiGate via WiFi). Otherwise, you will need to physically connect your iOS device to the FortiGate using a USB cable.

Connecting FortiExplorer to a FortiGate via USB

For the purpose of this document, we assume that you are just getting started; you do not have access to the FortiGate over the wireless network, and the FortiGate is in its factory configuration.

Connect your iOS device to your FortiGate’s USB management port.If prompted on your iOS device, Trust this ‘computer’.
Open the FortiExplorer app and select your FortiGate from the list under USB Attached Device.
On the Login screen, select USB.
Enter the default Username (admin) and leave the Password field blank.
You can opt to Remember Password. Tap Done when you are ready.
FortiExplorer opens the FortiGate management interface to the Device Status page:
Go to Network > Interfaces and configure the WAN interface(s).In the example, the wan1 interface Address mode is set to DHCP by default. Set it to Manual and enter its Address, Netmask, and Default Gateway, and then Apply your changes.
(Optional) Configure Administrative Access to allow HTTP and HTTPS This will allow administrators to access the FortiGate GUI using a web browser.
Go to Network > Interfaces and configure the local network (internal) interface.Set the Address mode as before and configure Administrative Access if desired.
Configure a DHCP Server for the internal network subnet.
Return to the internal interface using the < button at the top of the screen.
Go to Network > Static Routes and configure the static route to the gateway.
Go to Policy & Objects > IPv4 Policy and edit the Internet access policy. As a best practice, provide a Name for the policy, enable the desired Security Profiles, and configure Logging Options. Select OK to finalize.

Running a Security Fabric Rating

The FortiGate is now configured in a very basic state. Once you’ve configured the other potential elements of your network, such as other Interfaces, Schedules, or Managed FortiAPs, it is recommended that you run a Security Fabric Rating to identify potential vulnerabilities and highlight best practices that could be used to improve your network’s overall security and performance.

Go to Security Fabric > Security Rating and follow the steps to determine a Security Score for the selected device (s). The results should identify issues ranging from Medium to Critical importance, and may provide recommended actions where possible.

Connecting FortiExplorer to a FortiGate via WiFi

If your FortiGate is accessible on the wireless network, you can connect to it using FortiExplorer provided that your iOS device is on the same network. Assuming this is the case:

Open the FortiExplorer app and select Add from the Devices
Enter the Host information and appropriate Username and Password If necessary, change the default Port number, and opt to Remember Password.
If the FortiGate device identity cannot be verified, click Connect at the prompt. FortiExplorer opens the FortiGate management interface to the Device Status

Upgrading to FortiExplorer Pro

Paid features provided with the purchase of FortiExplorer Pro include the ability to add more than two devices and the ability to download firmware images from FortiCare.

To upgrade to FortiExplorer Pro, open the FortiExplorer app, go to Settings and select Upgrade to FortiExplorer Pro. Follow the on-screen prompts.

Tips – FortiOS 6.2

Leave a reply

Tips

Basic features and characteristics of the CLI environment provide support and ease of use for many CLI tasks.

Help

To display brief help during command entry, press the question mark (?) key.

Press the question mark (?) key at the command prompt to display a list of the commands available and a description of each command.
Type a word or part of a word, then press the question mark (?) key to display a list of valid word completions or subsequent words, and to display a description of each.

Shortcuts and key commands

Keys	Action
?	List valid word completions or subsequent words. If multiple words could complete your entry, display all possible completions with helpful descriptions of each.
Tab	Complete the word with the next available match. Press the Tab key multiple times to cycle through available matches.
Keys		Action
Up arrow, or Ctrl + P		Recall the previous command. Command memory is limited to the current session.
Down arrow, or Ctrl + N		Recall the next command.
Left or Right arrow		Move the cursor left or right within the command line.
Ctrl + A		Move the cursor to the beginning of the command line.
Ctrl + E		Move the cursor to the end of the command line.
Ctrl + B		Move the cursor backwards one word.
Ctrl + F		Move the cursor forwards one word.
Ctrl + D		Delete the current character.
Ctrl + C		Abort current interactive commands, such as when entering multiple lines. If you are not currently within an interactive command such as config or edit, this closes the CLI connection.
\ then Enter		Continue typing a command on the next line for a multiline command. For each line that you want to continue, terminate it with a backslash ( \ ). To complete the command line, terminate it by pressing the spacebar and then the Enter key, without an immediately preceding backslash.

Command abbreviation

You can abbreviate words in the command line to their smallest number of non-ambiguous characters.

For example, the command get system status could be abbreviated to g sy stat.

Adding and removing options from lists

When adding options to a list, such as a user group, using the set command will remove the previous configuration. For example, if you wish to add user D to a user group that already contains members A, B, and C, the command would need to be set member A B C D. If only set member D was used, then all former members would be removed from the group.

However, there are additional commands which can be used instead of set for changing options in a list.

Additional commands for lists

append

Add an option to an existing list.

For example, append member would add user D to a user group while all previous group members are retained

select

Clear all options except for those specified.

For example, if a group contains members A, B, C, and D and you remove all users except for B, use the command select member B.

unselect

Remove an option from an existing list.

For example, unselect member A would remove member A from a group will all previous group members are retained.

Environment variables

The CLI supports the following environment variables. Variable names are case-sensitive.

Environment variables

$USERFROM	The management access type (ssh, telnet, jsconsole for the CLI Console widget in the GUI, and so on) and the IP address of the administrator that configured the item.
$USERNAME	The account name of the administrator that configured the item.
$SerialNum	The serial number of the FortiGate unit.

For example, the FortiGate unit’s host name can be set to its serial number:

config system global set hostname $SerialNum

end

Special characters

The following special characters, also known as reserved characters, are not permitted in most CLI fields: <, >, (, ), #, ‘, and “. You may be able to enter special characters as part of a string’s value by using a special command, enclosing it in quotes, or preceding it with an escape sequence — in this case, a backslash ( \ ) character.

In other cases, different keystrokes are required to input a special character. If you need to enter ? as part of config, you first need to input CTRL-V. If you enter ? without first using CTRL-V, the question mark has a different meaning in the CLI; it will show available command options in that section.

For example, if you enter ? without CTRL-V:

edit “*.xe token line: Unmatched double quote.

If you enter ? with CTRL-V:

edit “*.xe?” new entry ‘*.xe?’ added

Entering special characters

Character	Keys
?	Ctrl + V then ?
Tab	Ctrl + V then Tab
Space (to be interpreted as part of a string value, not to end the string)	Enclose the string in quotation marks: “Security Administrator”. Enclose the string in single quotes: ‘Security Administrator’.
Character		Keys
		Precede the space with a backslash: Security\ Administrator.
‘ (to be interpreted as part of a string value, not to end the string)		\’
“ (to be interpreted as part of a string value, not to end the string)		\”
\		\\

Using grep to filter get and show command output

In many cases, the get and show (and diagnose) commands may produce a large amount of output. If you are looking for specific information in a large get or show command output, you can use the grep command to filter the output to only display what you are looking for. The grep command is based on the standard UNIX grep, used for searching text output based on regular expressions.

Use the following command to display the MAC address of the FortiGate unit internal interface:

get hardware nic internal | grep Current_HWaddr Current_HWaddr 00:09:0f:cb:c2:75

Use the following command to display all TCP sessions in the session list and include the session list line number in the output:

get system session list | grep -n tcp

Use the following command to display all lines in HTTP replacement message commands that contain URL (upper or lower case):

show system replacemsg http | grep -i url

There are three additional options that can be applied to grep:

<num> After
<num> Before
<num> Context

The option -f is also available to support contextual output, in order to show the complete configuration. The following example shows the difference in output when -f option is used versus when it is not.

Using -f:

show | grep -f ldap-group1 config user group edit “ldap-group1” set member “pc40-LDAP”

end

config firewall policy edit 2 set srcintf “port31” set dstintf “port32”

set srcaddr “all” set action accept set identity-based enable set nat enable

config identity-based-policy edit 1 set schedule “always” set groups “ldap-group1”

set dstaddr “all”

set service “ALL”

end

Without using -f:

show | grep ldap-group1 edit “ldap-group1” set groups “ldap-group1”

Language support and regular expressions

Characters such as ñ, é, symbols, and ideographs are sometimes acceptable input. Support varies by the nature of the item being configured. CLI commands, objects, field names, and options must use their exact ASCII characters, but some items with arbitrary names or values may be input using your language of choice. To use other languages in those cases, you must use the correct encoding.

Input is stored using Unicode UTF-8 encoding but is not normalized from other encodings into UTF-8 before it is stored. If your input method encodes some characters differently than in UTF-8, your configured items may not display or operate as expected.

Regular expressions are especially impacted. Matching uses the UTF-8 character values. If you enter a regular expression using another encoding, or if an HTTP client sends a request in an encoding other than UTF-8, matches may not be what you expect.

For example, with Shift-JIS, backslashes ( \ ) could be inadvertently interpreted as the symbol for the Japanese yen ( ¥ ) and vice versa. A regular expression intended to match HTTP requests containing money values with a yen symbol therefore may not work it if the symbol is entered using the wrong encoding.

For best results, you should:

use UTF-8 encoding, or
use only the characters whose numerically encoded values are the same in UTF-8, such as the US-ASCII characters that are also encoded using the same values in ISO 8859-1, Windows code page 1252, Shift-JIS and other encodings, or l for regular expressions that must match HTTP requests, use the same encoding as your HTTP clients.

HTTP clients may send requests in encodings other than UTF-8. Encodings usually vary by the client’s operating system or input language. If you cannot predict the client’s encoding, you may only be able to match any parts of the request that are in English, because regardless of the encoding, the values for English characters tend to be encoded identically. For example, English words may be legible regardless of interpreting a web page as either ISO 8859-1 or as GB2312, whereas simplified Chinese characters might only be legible if the page is interpreted as GB2312.

If you configure your FortiGate unit using other encodings, you may need to switch language settings on your management computer, including for your web browser or Telnet/SSH client. For instructions on how to configure your management computer’s operating system language, locale, or input method, see its documentation.

If you choose to configure parts of the FortiGate unit using non-ASCII characters, verify that all systems interacting with the FortiGate unit also support the same encodings. You should also use the same encoding throughout the configuration if possible in order to avoid needing to switch the language settings of the GUI and your web browser or Telnet/SSH client while you work.

Similarly to input, your web browser or CLI client should normally interpret display output as encoded using UTF-8. If it does not, your configured items may not display correctly in the GUI or CLI. Exceptions include items such as regular expressions that you may have configured using other encodings in order to match the encoding of HTTP requests that the FortiGate unit receives.

To enter non-ASCII characters in the CLI console:

On your management computer, start your web browser and go to the URL for the FortiGate unit’s GUI.
Configure your web browser to interpret the page as UTF-8 encoded.
Log in to the FortiGate unit.
Open the CLI Console from the upper right-hand corner.
In the title bar of the CLI Console widget, click Edit (the pencil icon).
Enable Use external command input box and select OK.
The Command field appears below the usual input and display area of the CLI Console .
Type a command in this field and press Enter.

In the display area, the CLI Console widget displays your previous command interpreted into its character code equivalent, such as:

edit \743\601\613\743\601\652

and the command’s output.

To enter non-ASCII characters in a Telnet/SSH client

On your management computer, start your Telnet or SSH client.
Configure your Telnet or SSH client to send and receive characters using UTF-8 encoding.

Support for sending and receiving international characters varies by each Telnet/SSH client. Consult the documentation for your Telnet/SSH client.

Log in to the FortiGate unit.
At the command prompt, type your command and press Enter.

You may need to surround words that use encoded characters with single quotes ( ‘ ).

Depending on your Telnet/SSH client’s support for your language’s input methods and for sending international characters, you may need to interpret them into character codes before pressing Enter. For example, you might need to enter: edit ‘\743\601\613\743\601\652’

The CLI displays your previous command and its output.

Screen paging

You can configure the CLI to pause after displaying each page’s worth of text when displaying multiple pages of output.

When the display pauses, the last line displays –More–. You can then either:

l press the spacebar to display the next page. l type Q to truncate the output and return to the command prompt.

This may be useful when displaying lengthy output, such as the list of possible matching commands for command completion, or a long list of settings. Rather than scrolling through or possibly exceeding the buffer of your terminal emulator, you can simply display one page at a time.

To configure the CLI Console to pause display when the screen is full:

config system console set output more

end

Baud rate

You can change the default baud rate of the local console connection.

To change the baud rate enter the following commands:

config system console set baudrate {9600 | 19200 | 38400 | 57600 | 115200} end

Editing the configuration file on an external host

You can edit the FortiGate configuration on an external host by first backing up the configuration file to a TFTP server. Then edit the configuration file and restore it to the FortiGate unit.

Editing the configuration on an external host can be timesaving if you have many changes to make, especially if your plain text editor provides advanced features such as batch changes.

To edit the configuration on your computer:

Use execute backup to download the configuration file to a TFTP server, such as your management computer.
Edit the configuration file using a plain text editor that supports Unix-style line endings.

Do not edit the first line. The first line(s) of the configuration file (preceded by a # character) contains information about the firmware version and FortiGate model. If you change the model number, the FortiGate unit will reject the configuration file when you attempt to restore it.

Use execute restore to upload the modified configuration file back to your FortiGate.

The FortiGate downloads the configuration file and checks that the model information is correct. If it is correct, the

FortiGate unit loads the configuration file and checks each command for errors. If a command is invalid, the FortiGate unit ignores the command. If the configuration file is valid, the FortiGate unit restarts and loads the new configuration.

Fortinet GURU

FortiGate Guides and MORE!

Category Archives: FortiGate

Troubleshooting your installation – FortiOS 6.2

FortiCloud – FortiOS 6.2

FortiGuard – FortiOS 6.2

Firmware Management – FortiOS 6.2

Basic administration – FortiOS 6.2

LED specifications – FortiOS 6.2

FortiExplorer for iOS – FortiOS 6.2

Tips – FortiOS 6.2

set dstaddr “all”